ML19031C863
| ML19031C863 | |
| Person / Time | |
|---|---|
| Issue date: | 03/07/2019 |
| From: | Kristine Svinicki NRC/Chairman |
| To: | Alexander L, Barrasso J, Braun M, Cummings E, Dodaro G, Engel E, Rachel Johnson, Kaptur M, Lowey N, Mulvaney M, Murkowski L, Pallone F, Rush B, Shelby R, Thompson B, Tonko P US Congress, US HR (House of Representatives), US SEN (Senate) |
| S. Mroz, 415-2900 | |
| Shared Package | |
| ML19031C855 | List: |
| References | |
| CORR-19-0012 | |
SUMMARY OF NRC ACTIONS - RESPONSE TO GAO REPORTS
- 1. Nuclear Nonproliferation: Additional Actions Needed to Increase the Security of U.S. Industrial Radiological Sources (GAO-14-293)
- 2. Federal Software Licenses: Better Management Needed to Achieve Significant Savings Governmentwide (GAO-14-413)
- 3. Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices (GAO-15-98)
- 4. Data Center Consolidation: Agencies Making Progress, but Planned Savings Goals Need to be Established (GAO-16-323)
- 5. Nuclear Security: NRC Has Enhanced the Controls of Dangerous Materials, but Vulnerabilities Remain (GAO-16-330)
- 6. Information Security: Agencies Need to Improve Controls over Selected High-Impact Systems (GAO-16-501)
- 7. Information Technology: Agencies Need to Improve Their Application Inventories to Achieve Additional Savings (GAO-16-511)
- 8. Nuclear Material: Agencies Have Sound Procedures for Managing Exchanges but Could Improve Inventory Monitoring (GAO-16-713)
- 9. Strategic Human Capital Management: NRC Could Better Manage the Size and Composition of Its Workforce by Further Incorporating Leading Practices (GAO-17-233)
- 10. Data Center Optimization: Agencies Need to Address Challenges and Improve Progress to Achieve Cost Savings Goal (GAO-17-448)
- 11. Information Technology: Agencies Need to Involve the Chief Information Officers in Reviewing Billions of Dollars in Acquisitions (GAO-18-42)
- 12. Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities (GAO-18-93)
- 13. Nuclear Regulatory Commission: Additional Action Needed to Improve Process for Billing Licensees (GAO-18-318)
- 14. Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions (GAO-18-466)
The U.S. Government Accountability Office Report - Nuclear Nonproliferation: Additional Actions Needed to Increase the Security of U.S. Industrial Radiological Sources June 2014 (GAO-14-293)
The GAO, in its report, "Nuclear Nonproliferation: Additional Actions Needed to Increase the Security of U.S. Industrial Radiological Sources," made three recommendations solely to the NRC and one recommendation jointly to the NRC, the U.S. Department of Energy (DOE) and the U.S. Department of Homeland Security (DHS) regarding security at NRC-licensed and Agreement-State licensed facilities using high-risk industrial radiological sources. The status of the actions taken by the NRC in response to the GAO recommendation that remained open as of the NRC's last report is provided below.
Recommendation 3:
To ensure that the security of radiological sources at industrial facilities is reasonably assured, the Chairman of the Nuclear Regulatory Commission should conduct an assessment of the trustworthiness and reliability (T&R) process - by which licensees approve employees for unescorted access - to determine if it provides reasonable assurance against insider threats, including 1) determining why criminal history information concerning convictions for terroristic threats was not provided to a licensee during the T&R process to establish if this represents an isolated case or a systemic weakness in the T&R process; and 2) revising, to the extent permitted by law, the T&R process to provide specific guidance to licensees on how to review an employee's background. The NRC should also consider whether certain criminal convictions or other indicators should disqualify an employee from T&R or trigger a greater role for the NRC.
Status:
The case referenced by GAO in the first part of this recommendation referred to a misdemeanor domestic dispute on a local law enforcement record, 12 years prior to the request for unescorted access, which was not cited on the Federal Bureau of Investigation (FBI) criminal history record. As a result, the information was not available to support the T&R determination for the individual, and also did not reflect a performance deficiency or a systemic weakness.
Regarding the second part of this recommendation, the NRC reviewed the effectiveness of the requirements in 10 CFR Part 37 to determine whether any additional security measures, guidance updates, rulemaking changes, or licensee outreach efforts are appropriate. The completion of the 10 CFR Part 37 program review included insights into the effectiveness of the T&R process. Specifically, the review generated recommendations for enhancements in the area of T&R, including, among other things, improved guidance and an expanded list of the information that individuals must disclose when applying for unescorted access; development of sample forms or templates for use in T&R evaluations; and improved coordination efforts with the FBI to share potential terrorist threat information involving individuals seeking approval for new or continued unescorted access to Category 1 and 2 quantities of radioactive materials. The details of the review were included in a December 14, 2016 report to Congress. Revisions to NUREG-2155, Revision 1, "Implementation Guidance for 10 CFR Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material," are underway to incorporate relevant enhancements. For example, the staff is in the process of revising Annex A, "Additional Guidance for Evaluating an Individual's Trustworthiness and Reliability for Allowing Unescorted Access to Certain Radioactive Material," of NUREG-2155, Revision 1, in order to provide specific guidance to licensees on how to review an employee's background. The revision will support materials licensees in implementing the regulations related to making T&R determinations to grant unescorted access to risk-significant quantities of radioactive material. The revised guidance will include specific examples of information that could be collected during background investigations in relation to employment, military service, education, and references regarding personal history disclosure. The enhanced guidance will also include more than 50 distinct indicators that could raise T&R concerns, such as foreign influence, personal conduct, and financial considerations. These examples may be utilized by licensees to establish disqualifying criteria for granting unescorted access to risk-significant quantities of radioactive materials, as appropriate.
Additionally, in response to GAO's recommendation for the NRC to consider whether certain criminal convictions or other indicators should disqualify an employee from T&R or trigger a greater role for the NRC, in late 2016, the NRC staff completed inspection activities associated with Temporary Instruction (TI) 2800/042, "Evaluation of Trustworthiness and Reliability Determinations," and used the information gained from these activities to consider additional enhancements to the T&R process. The NRC gleaned valuable information about licensees' implementation of the requirements to conduct background checks on personnel who may be granted unescorted access to Category 1 or Category 2 quantities of radioactive material.
Overall, this focused evaluation demonstrated that licensees appropriately use the information provided by the required FBI criminal history reports, in conjunction with information on employment history, personal references, and education checks, in making a T&R determination. While some licensees do utilize disqualification factors, either of their own determination or as provided in NRC guidance or by other Federal programs (such as the Transportation Security Administration Transportation Worker Identification Credential), the NRC found that licensees consider all information that they gather during the background investigation to make the most informed decisions possible. Consequently, the NRC staff did not identify a need for the agency to play a greater role in licensee T&R processes or to establish criteria that would disqualify an individual from being eligible for unescorted access to risk-significant quantities of radioactive materials.
The NRC considers this GAO recommendation to be closed.
The U.S. Government Accountability Office Report - Federal Software Licenses: Better Management Needed to Achieve Significant Savings Governmentwide May 2014 (GAO-14-413)
The GAO, in its report "Federal Software Licenses: Better Management Needed to Achieve Significant Savings Government-Wide," made recommendations to government entities, including the NRC, to ensure the effective management of software licenses. The status of the actions taken by the NRC in response to the GAO recommendations that remain open as of the NRC's last report is provided below.
Recommendation 2:
Employ a centralized software license management approach that is coordinated and integrated with key personnel for the majority of agency software license spending and/or enterprise-wide licenses.
Status:
The NRC completed the Software Management Centralization Plan in April 2018.
The NRC considers this GAO recommendation to be closed.
Recommendation 3:
Establish a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses.
Status:
Scanning tools were used to generate a list of all information technology (IT) assets in the NRC environment, including software. The tools used by the current service provider were not configured to collect and report on software licenses. A manual effort was used to gather and verify data associated with the software on the list to complete a comprehensive baseline inventory of software licenses. Using this inventory of software licenses, NRC optimized the number of licenses recently purchased in the Microsoft Enterprise Agreement and streamlined services within the Cisco maintenance agreement. NRC transitioned its software inventory to BMC's Remedy IT Service Management Toolset and continues to use automated discovery tools for validation.
The NRC considers this GAO recommendation to be closed.
Recommendation 4:
Regularly track and maintain a comprehensive inventory of software licenses using automated tools and metrics.
Status:
The NRC deployed the Software Licensing Module within BMC's Remedy IT Service Management Toolset, which is the agency's automated Service Delivery Lifecycle Management toolset. NRC now uses this automated inventory to track and maintain software license inventory and metrics.
The NRC considers this GAO recommendation to be closed.
Recommendation 5:
Analyze agency-wide software license data, such as costs, benefits, usage, and trending data, to identify opportunities to reduce costs and better inform investment decision-making.
Status:
Using the comprehensive inventory to analyze software licensing data, the NRC optimized the number of licenses purchased in the Microsoft Enterprise Agreement and streamlined the cost of the Cisco Hardware and Software Maintenance agreement. Additionally, the NRC relies on this information to continually identify opportunities to reduce costs and better inform investment decision-making for additional software purchases and renewal of maintenance agreements.
The NRC considers this GAO recommendation to be closed.
Recommendation 6:
Provide software license management training to appropriate agency personnel addressing contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management.
Status:
The NRC IT asset management (ITAM) program now requires training and communication, as appropriate, for all key personnel. On September 19, 2018, NRC personnel associated with software asset management attended the Department of Defense (DOD) Enterprise Software Initiative Webinar - ITAM/Software License Management. Other DOD training offerings have been identified for key NRC personnel, covering topics such as contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management. The NRC will also participate in software license management training that is currently being developed by the Office of Management and Budget, the Federal Acquisition Institute, and the Defense Acquisition University.
The NRC considers this GAO recommendation to be closed.
The U.S. Government Accountability Office Report - Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices December 2014 (GAO-15-98)
The GAO, in its report, "Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices," recommended that the NRC align its procedures with relevant cost-estimating best practices identified in GAO-089-3SP, "GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs" (March 2009). The status of the actions taken by the NRC in response to the GAO recommendation is provided below.
Recommendation:
To improve the reliability of its cost estimates, as NRC revises its cost estimating procedures, the NRC Chairman should ensure that the agency aligns the procedures with relevant cost estimating best practices identified in the GAO Cost Estimating and Assessment Guide and ensure that future cost estimates are prepared in accordance with relevant cost estimating best practices.
Status:
The NRC is updating its cost-benefit guidance to incorporate cost estimating best practices and the treatment of uncertainty to support the development of realistic estimates of the costs to implement proposed requirements. This guidance update addresses relevant best practices provided by the GAO and feedback provided by licensees, the Nuclear Energy Institute, and other stakeholders. This update will also consolidate guidance documents, incorporate recommendations from the GAO report on the NRC's cost-estimating practices and cost-estimating best practices from the GAO guide, and capture best practices for the consideration of qualitative factors in accordance with Commission direction in the Staff Requirements Memorandum (SRM) for SECY-14-0087.
The cost-benefit guidance update was released on April 14, 2017, for a 60-day public comment period. Comments received were resolved and, in March 2018, the staff submitted the draft of the final NUREG to the Commission (Agencywide Documents Access and Management System (ADAMS) Accession No. ML17221A000). Following Commission review and approval, the staff will issue the final NUREG and reference it on the NRC public web site.
This GAO recommendation remains open.
The U.S. Government Accountability Office Report - Data Center Consolidation: Agencies Making Progress, but Planned Savings Goals Need to be Established March 2016 (GAO-16-323)
In 2010, as the focal point for IT management across the government, OMB's Federal Chief Information Officer launched the Federal Data Center Consolidation Initiative to reduce the growing number of data centers. Subsequently, IT reform legislation was enacted in December 2014 that included a series of provisions related to the federal data center consolidation effort, including requiring agencies to report on cost savings and requiring GAO to review agency inventories and strategies on an annual basis. The status of the actions taken by the NRC in response to the GAO recommendation in the 2016 report is provided below.
Recommendation:
The Secretaries of the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Attorney General of the United States; the Administrators of the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, and the U.S. Agency for International Development; the Director of the Office of Personnel Management; the Chairman of the Nuclear Regulatory Commission; and the Commissioner of the Social Security Administration should take action to improve progress in the data center optimization areas that we reported as not meeting OMB's established targets, including addressing any identified challenges.
Status:
The NRC continues to work on meeting the remaining metrics. The NRC is installing energy metering, power usage effectiveness, and tiered server utilization software in the NRC environment. The NRC plans to have this completed by the second quarter of fiscal year 2019.
This GAO recommendation remains open.
The U.S. Government Accountability Office Report - Nuclear Security: NRC Has Enhanced the Controls of Dangerous Materials, but Vulnerabilities Remain July 2016 (GAO-16-330)
The GAO, in its report, "Nuclear Security: NRC Has Enhanced the Controls of Dangerous Materials, but Vulnerabilities Remain," made three recommendations to the NRC to address vulnerabilities associated with licensing and accountability strategies for Category 3 sources and quantities of radioactive material. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.
Recommendation 1:
Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should take the steps needed to include Category 3 sources in the National Source Tracking System and add agreement state Category 3 licenses to the Web-based Licensing System as quickly as reasonably possible.
Status:
In early 2016, the NRC formed a working group, the License Verification and Transfer of Category 3 Sources Working Group (LVWG), to evaluate license verification and transfer requirements for Category 3 sources. The LVWG evaluated the inclusion of Category 3 licenses in the NRC's Web-Based Licensing System and the methods available for verifying the legitimacy of licenses held by those licensees prior to the transfer of material. The working group also evaluated the inclusion of Category 3 sources in the National Source Tracking System (NSTS) for the specific purpose of preventing licensees from accumulating Category 3 sources into Category 2 or higher quantities of radioactive material. The LVWG made recommendations to enhance the existing processes for license verification and source tracking beyond Category 1 and Category 2 thresholds. These recommendations were provided to the Commission as part of the staff's reevaluation of Category 3 sources as outlined below.
On October 18, 2016, in the Staff Requirements Memorandum (SRM) for COMJMB-16-0001, "Proposed Staff Re-Evaluation of Category 3 Source Accountability," the Commission directed the NRC staff to re-evaluate Category 3 source accountability given the agency's operating experience with higher-risk sources and in response to findings made by GAO. In the direction provided in the SRM, the Commission stated that the staff should assess the risks posed by the aggregation of Category 3 sources into Category 2 quantities as part of its efforts to re-evaluate Category 3 source accountability.
A working group - the Category 3 Source Security and Accountability Working Group - was formed to address the following tasks: evaluating the pros and cons of different methods for verifying the validity of a license before a Category 3 source is transferred; evaluating the pros and cons of including Category 3 sources in the NSTS; assessing any additional options to address the source accountability recommendations made by the GAO; identifying changes in the threat environment since 2009 and evaluating whether those changes support expanding the NSTS to include Category 3 sources; assessing the risks posed when a licensee possesses enough Category 3 sources to require the higher level protections for Category 2 quantities; and collaborating with our Agreement State partners, non-Agreement States, licensees, public interest groups, industry groups, and the reactor community to fully assess the regulatory impact of any recommendation made by the working group. The Category 3 Source Security and Accountability working group considered recommendations made by the LVWG and also informed its evaluation with the results of the NRC staff's review of the effectiveness of 10 CFR Part 37, the results of which were reported to Congress in December 2016.
As directed by the Commission, the Category 3 Source Security and Accountability Working Group developed a notation vote paper that was submitted to the Commission in August 2017 (SECY-17-0083, "Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001"). The Commission is currently considering the staff's analysis and recommendations.
This GAO recommendation remains open.
Recommendation 2:
Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should at least until such time that Category 3 licenses can be verified using the License Verification System, require that transferors of Category 3 quantities of radioactive materials confirm the validity of a would-be purchaser's radioactive materials license with the appropriate regulatory authority before transferring any Category 3 quantities of licensed materials.
Status:
The LVWG evaluated this recommendation, and its analysis was considered by the Category 3 Source Security and Accountability Working Group. The Commission is currently considering the staff's analysis and recommendations.
This GAO recommendation remains open.
Recommendation 3:
Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should, as part of the ongoing efforts of NRC working groups meeting to develop enhancements to the prelicensing requirements for Category 3 licenses, consider requiring that an on-site security review be conducted for all unknown applicants of Category 3 licenses to verify that each applicant is prepared to implement the required security measures before taking possession of licensed radioactive materials.
Status:
In early 2016, the NRC formed a working group, the Enhancements to Pre-Licensing Guidance Working Group (PLWG), to evaluate pre-licensing activities and develop recommendations for enhancements to the pre-licensing process. The PLWG developed recommendations that involve changes to existing regulations and revisions to existing training, guidance, and procedures. The NRC staff developed an action plan for the non-rulemaking recommendations (e.g., revisions to license applicant guidance documents, revisions to NRC pre-licensing guidance and checklists) and is currently implementing it. The NRC staff has also provided other recommendations to the Commission for consideration. Upon receipt of Commission direction on this and other recommendations pertaining to materials licensees, the NRC staff will develop a rulemaking plan for Commission consideration.
In addition, the NRC staff developed an action plan for the recommendations that do not require rulemaking and has completed several items outlined in the action plan. For example, the NRC has: 1) issued a revision to the pre-licensing guidance (e.g., to emphasize that licenses should not be hand delivered during a pre-licensing site visit and to outline processes to conduct additional screening of applicants and evaluate any potential security risks identified during the application review, as appropriate); and 2) updated the licensing and inspection courses offered at the NRC Technical Training Center and offered multiple targeted training sessions to ensure that license reviewers understand the revisions to the pre-licensing guidance and to reinforce expectations regarding adherence to licensing processes.
This GAO recommendation remains open.
The U.S. Government Accountability Office Report - Information Security: Agencies Need to Improve Controls over Selected High-Impact Systems May 2016 (GAO-16-501)
Federal systems categorized as high impact are those systems that hold sensitive information, and the loss of this information could cause individuals, the government, or the nation catastrophic harm. These systems warrant increased security to protect them.
The status of the actions taken by the NRC in response to the GAO recommendation that remained open as of the NRC's last report is provided below.
Recommendation 5:
Update the standard that addresses continuous monitoring to include metrics and ongoing status monitoring.
Status:
The NRC published the updated Information Security Continuous Monitoring Process (CSO-PROS-1323) to specify metrics and other improvements to continuous monitoring on June 15, 2018.
The NRC considers this GAO recommendation to be closed.
The U.S. Government Accountability Office Report - Information Technology: Agencies Need to Improve Their Application Inventories to Achieve Additional Savings September 2016 (GAO-16-511)
The Federal Government is expected to spend more than $90 billion on IT in fiscal year 2017. This includes a variety of software applications supporting agencies' enterprise needs. Since 2013, OMB has advocated the use of application rationalization. This is a process by which an agency streamlines its portfolio of software applications with the goal of improving efficiency, reducing complexity and redundancy, and lowering the cost of ownership.
The status of the actions taken by the NRC in response to the GAO recommendation that remained open as of the NRC's last report is provided below.
Recommendation:
To improve federal agencies' efforts to rationalize their portfolio of applications, the heads of the Departments of Agriculture, Commerce, Education, Energy, Health and Human Services, Housing and Urban Development, the Interior, Labor, State, Transportation, the Treasury, and Veterans Affairs; and heads of the Environmental Protection Agency; National Aeronautics and Space Administration; National Science Foundation; Nuclear Regulatory Commission; Office of Personnel Management; Small Business Administration; Social Security Administration; and U.S. Agency for International Development should direct their Chief Information Officers (CIOs) and other responsible officials to improve their inventories by taking steps to fully address the practices we identified as being partially met or not met.
Status:
The NRC met three out of the four specified areas noted by the GAO and partially met the fourth area. The fourth GAO recommendation was to document the application inventory maintenance process. The NRC maintains a system inventory that includes applications deployed within each system. The NRC has documented this process and it is available on the agency's intranet for staff access.
The NRC considers this GAO recommendation to be closed.
The U.S. Government Accountability Office Report - Nuclear Material: Agencies Have Sound Procedures for Managing Exchanges but Could Improve Inventory Monitoring October 2016 (GAO-16-713)
The GAO, in its report, "Agencies Have Sound Procedures for Managing Exchanges but Could Improve Inventory Monitoring," made two recommendations to improve inventory monitoring, one of which applies to the NRC. The status of the actions taken by the NRC in response to the GAO recommendation is provided below.
Recommendation 1:
Clarify in guidance the conditions under which facilities may carry negative obligation balances.
Status:
The NRC guidance for this area is found in NUREG/BR-0006, "Instructions for Completing Nuclear Material Transaction Reports (DOE/NRC Forms 741 and 740M)," and NUREG/BR-0007, "Instructions for the Preparation and Distribution of Material Status Reports (DOE/NRC Forms 742 and 742C)." The most recent revisions of these two documents were published in May 2018. These revisions had been previously available in final draft form to provide instructions to licensees that would be affected by the 10 CFR Part 75 final rule that implemented the Modified Small Quantities Protocol (MSQP) to the United States International Atomic Energy Agency Caribbean Territories Safeguards Agreement. With the rule now in effect, a comprehensive revision of the NUREGs has started. These revisions will address, among other things, the GAO's recommendation to include guidance on obligation balances and reporting. A notice for public comment on the revised draft NUREGs will be published in the Federal Register. The schedule for completing this comprehensive update depends, in part, on the number and nature of the public comments received. However, the NRC expects that the revised NUREGs will be completed by the third quarter of fiscal year 2019.
This GAO recommendation remains open.
The U.S. Government Accountability Office Report - Strategic Human Capital Management: NRC Could Better Manage the Size and Composition of Its Workforce by Further Incorporating Leading Practices April 2017 (GAO-17-233)
The GAO, in its report, "Strategic Human Capital Management: NRC Could Better Manage the Size and Composition of Its Workforce by Further Incorporating Leading Practices," made recommendations to the NRC to further enhance strategic human capital management practices. The GAO indicated that using forward-looking strategies, setting goals, using data-driven planning and accountability systems, and ensuring that employees have the relevant knowledge to carry out their responsibilities are essential for strategic human capital management. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.
Recommendation 1:
Set agencywide goals, which could be ranges, for overall workforce size and skills composition that extend beyond the 2-year budget cycle.
Status:
On July 5, 2017, the NRC's Executive Director for Operations (EDO) initiated a three-office pilot project of an Enhanced Strategic Workforce Planning (SWP) process for NRC that better integrates workload projection, skills identification, human capital management, individual development, and workforce management activities. Two headquarters offices and one regional office participated in the pilot project, which concluded in June 2018. A lessons-learned report found that the six steps provided a sound, repeatable process that was used to prepare a projection for staff of the anticipated type and amount of work in the pilot organizations. Following the lessons-learned report, the NRC SWP implementation team made recommendations for adjusting the process and expanding implementation to additional offices and regions.
In August 2018, the agency began implementing Phase II of SWP in 11 offices, including all four regions, and other major NRC offices, representing approximately 79% of the agency's workforce. The phased approach helps to build capability to support the process. The results of Phase II will be available in July 2019, at which time the EDO will determine the scope of Phase III.
This GAO recommendation remains open.
Recommendation 2:
Establish a systematic, comprehensive approach for tracking employee skills information, either through the system developed through the competency modeling pilot program or some other system.
Status:
During the SWP pilot, the NRC developed a standard skills inventory system to track positions and the associated skills for agency-wide use. At the conclusion of the pilot, the lessons-learned assessment included an evaluation of the skills inventory to identify strengths, challenges, estimated resources, and recommended improvements. At the beginning of Phase II, the NRC SWP implementation team capitalized on an existing initiative to modernize the agency's human capital management program with a competency modeling approach. The integration of competency models with SWP will enable employees to assess their own skills against positions with forecasted needs, thus enabling the agency to catalog skill sets and empower employees to direct their career path towards areas of mission need. The NRC has developed competency models for the majority of the core positions identified in Phase II and employees will begin to use the system by the end of FY 2019.
This GAO recommendation remains open.
Recommendation 3:
Consistently train managers and supervisors in strategic human capital management and assessing employee skillsets.
Status:
Training is an integral part of the SWP pilot. All offices and regional management participating in Phase II have been trained on the process and associated SWP concepts. The Office of the Chief Human Capital Officer is looking to incorporate SWP training into existing management training for the remaining management and supervisors by the end of 2020.
This GAO recommendation remains open.
The U.S. Government Accountability Office Report - Data Center Optimization: Agencies Need to Address Challenges and Improve Progress to Achieve Cost Savings Goal August 2017 (GAO-17-448)
In December 2014, the Federal Information Technology Acquisition Reform Act was enacted. It contained a series of provisions related to improving the performance of data centers, including requiring the U.S. Office of Management and Budget (OMB) to establish optimization metrics and agencies to report on progress toward meeting the metrics. OMB's Federal Chief Information Officer subsequently launched the Data Center Optimization Initiative to build on prior data center consolidation and optimization efforts.
GAO reviewed data center optimization. The status of the actions taken by NRC in response to the GAO recommendation is provided below.
Recommendation:
The Secretaries of Agriculture, Commerce, Defense, Homeland Security, Energy, HHS, Interior, Labor, State, Transportation, Treasury, and VA; the Attorney General of the United States; the Administrators of EPA, GSA, and SBA; the Director of OPM; and the Chairman of the NRC take action to, within existing OMB reporting mechanisms, complete plans describing how the agency will achieve OMB's requirement to implement automated monitoring tools at all agency-owned data centers by the end of fiscal year 2018.
Status:
During the third quarter of fiscal year 2018, the NRC awarded a contract to implement a Data Center Infrastructure Management (DCIM) solution to install and run automated monitoring tools and power monitoring at all tiered agency-owned data centers. During the implementation of the DCIM solution, it was determined that additional equipment was needed to adequately provide power monitoring. The NRC is in the process of procuring additional equipment, tools, and GSA building services needed to provide power monitoring. The NRC anticipates that the additional equipment, tools, and services will be procured by the end of fiscal year 2019.
This GAO recommendation remains open.
The U.S. Government Accountability Office Report - Information Technology: Agencies Need to Involve the Chief Information Officers in Reviewing Billions of Dollars in Acquisitions January 2018 (GAO-18-42)
The federal government invested more than $90 billion in Information Technology (IT) in fiscal year 2016. However, prior IT expenditures have produced failed projects. Recognizing the severity of issues, in December 2014, Congress enacted IT acquisition reform legislation (referred to as the Federal Information Technology Acquisition Reform Act or FITARA). FITARA includes implementation guidance that requires covered agencies' chief acquisition officers to identify IT contracts for the Chief Information Officers (CIOs) to review and approve. In the report, GAO examined federal agencies' IT contracts, the amounts of investments in those contracts, and whether or not agency CIOs are reviewing and approving IT acquisitions. GAO had one recommendation for the NRC. The status of actions taken by the NRC in response to the GAO recommendation is provided below.
Recommendation 33:
The Chairman of the NRC should ensure that the office of the senior procurement executive is involved in the process to identify IT acquisitions.
Status:
On June 25, 2018, the NRC issued an internal Acquisition Instruction that outlines the process for requesting the purchase of any IT equipment or service. The Acquisition Instruction specifies that the Office of the Senior Procurement Executive must be involved in the process to identify information technology acquisitions.
The NRC considers this GAO recommendation to be closed.
The U.S. Government Accountability Office Report - Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities August 2018 (GAO-18-93)
The GAO, in its report, "Federal Chief Information Officers: Critical Actions Needed to Address Shortcomings and Challenges in Implementing Responsibilities," made one recommendation to the NRC to ensure that the agency's information technology (IT) management policies address the role of the CIO for key responsibilities in five areas - IT Leadership and Accountability, IT Strategic Planning, IT Workforce, IT Investment Management, and Information Security. The status of actions taken by the NRC in response to the GAO recommendation is provided below.
Recommendation 23:
The Chairman of the Nuclear Regulatory Commission should ensure that the agency's IT management policies address the role of the CIO for key responsibilities in the five areas we identified.
Status:
The NRC is in the process of revising the agency's IT/Information Management Strategic Plan. The Plan will describe the CIO's roles and responsibilities for benchmarking agency processes against private and public sector performance under the IT Strategic Planning area. The Strategic Plan will address CIO responsibilities and guide future NRC efforts in the areas identified by GAO. The NRC plans to complete the revision in the second quarter of fiscal year 2019.
The NRC will update applicable guidance to include IT workforce CIO authorities by the end of the second quarter of fiscal year 2020.
This GAO recommendation remains open.
The U.S. Government Accountability Office Report - Nuclear Regulatory Commission: Additional Action Needed to Improve Process for Billing Licensees March 2018 (GAO-18-318)
The GAO, in its report, "Nuclear Regulatory Commission: Additional Action Needed to Improve Process for Billing Licensees," provided five recommendations to the U.S. Nuclear Regulatory Commission (NRC). The status of the actions taken by the NRC in response to the GAO recommendations is provided below.
Recommendation 1:
Formally communicate to all licensees that supplemental billing information including biweekly reports and monthly status reports on contractor charges is available and how to request it. Formal communication that would reach all licensees could include adding information to their quarterly invoices.
Status:
On the invoices issued in January 2019, the NRC formally communicated to licensees that they may request additional information by submitting the NRC Form 527, Request for Information Related to Contractor Charges in Accordance with 10 CFR 170.51, which was developed in response to Recommendation 2 of this GAO report. This information will continue to be communicated on future invoices.
The NRC considers this GAO recommendation to be closed.
Recommendation 2:
Develop policy and guidance for staff on what billing information related to contractor charges NRC staff can provide to licensees and how it should be provided.
Status:
The NRC developed a formalized process, as well as policy and guidance for NRC staff related to releasing billing information on contractor charges. The NRC financial system used to pay contractors and generate licensee invoices does not capture the level of contractor charge detail requested by licensees; therefore, we are unable to provide that level of detailed information on the invoice. However, contractors provide additional details in the form of a status report, which is typically sent each month to the technical staff responsible for oversight of the contract work.
Since the contractor monthly status reports contain sensitive and proprietary information, the NRC developed policy and guidance for staff related to releasing contractor information to licensees. In addition, NRC developed a form for licensees to request additional information on contractor charges on their bill, NRC Form 527, Request for Information Related to Contractor Charges In Accordance with 10 CFR § 170.51, which is available on NRC's public website.
The NRC considers this GAO recommendation to be closed.
Recommendation 3:
As the NRC plans its transition to electronic billing, the Chief Financial Officer of the NRC should develop a project plan that incorporates standards for project management, which includes establishing plans for schedule and cost.
Status:
The NRC completed the electronic billing (eBilling) project plan on December 19, 2018.
The NRC considers this GAO recommendation to be closed.
Recommendation 4:
In developing the project plan for electronic billing, the Chief Financial Officer of the NRC should include steps to involve licensees in developing system capabilities, which includes soliciting and considering licensees' information needs.
Status:
The NRC initiated outreach to a sampling of licensees to understand their system requirements for an eBilling application and a group of licensees then assisted the NRC in the initial requirements gathering. During the development phase, the NRC will continue to work with this sampling of nine licensees who have agreed to participate in various project activities.
In November 2018, the NRC conducted eBilling user experience sessions with each of the nine participating licensees. The nine licensees were shown "concept screens" of the eBilling application that were developed based on the requirements received from the NRC internal and external (sampling of Licensees) stakeholders. The licensees were given an opportunity to provide feedback on the aesthetics and functionality of each screen. The results of the user experience sessions were documented in the January 17, 2019, NRC eBilling User Experience Sessions Report and provided to NRC management for review.
The nine licensees will also participate in the two eBilling pilot project efforts targeted for May and July 2019. They will be going into the eBilling application and testing its functionality and intuitiveness and providing feedback to the NRC eBilling team. Due to the complexity of this effort, the feedback from the first pilot will be incorporated into the second pilot and the results from the second pilot are anticipated to be "fine tuning" in nature. The eBilling team provides the nine licensees with monthly updates on the progress of the eBilling efforts via email communications for their awareness and planning purposes.
The NRC considers this GAO recommendation to be closed.
Recommendation 5:
In developing the project plan for electronic billing, the Chief Financial Officer of the NRC should include steps to assess the results of implementing electronic billing, which includes comparing the actual performance to intended outcomes.
Status:
The NRC continues to assess the metrics that will provide the most value and will incorporate them into the project plan. Potential areas for metrics to assess the effectiveness of the eBilling solution include payment timeliness, billing dispute resolution timeliness, and licensee participation rates in eBilling.
This GAO recommendation remains open.
The U.S. Government Accountability Office Report - Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions June 2018 (GAO-18-466)
The GAO, in its report, "Cybersecurity Workforce: Agencies Need to Improve Baseline Assessments and Procedures for Coding Positions," provided two recommendations to the NRC regarding full implementation of the requirements of the Federal Cybersecurity Workforce Assessment Act of 2015. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.
Recommendation 23:
The Chairman of the Nuclear Regulatory Commission should ensure that agency procedures account for the fact that IT, cybersecurity, and cyber-related positions will extend beyond the Information Technology Management 2210 occupational series.
Status:
The NRC revised the NRC Cybersecurity Coding Procedures in November 2017 to incorporate the following language: The initiative is not limited to positions in the 2210 occupational series. This effort includes any position that has IT, cybersecurity, and cyber-related functions in series 0099-2299.
The NRC considers this GAO recommendation to be closed.
Recommendation 24:
The Chairman of the Nuclear Regulatory Commission should fully clarify requirements to assign up to three employment codes per position in order of their criticality in agency procedures.
Status:
The NRC revised the NRC Cybersecurity Coding Procedures in November 2017 to incorporate the following language: "Each cybersecurity position can have up to three codes," and "[c]odes should be assigned in descending order according to the level of criticality of the respective position." The NRC further revised the procedures to give examples of how codes should be assigned if a position has multiple cybersecurity roles.
The NRC considers this GAO recommendation to be closed.